http://australianit.news.com.au/articles/0,7204,21675095%5E15385%5E%5Enbv%5E,00.html

By Chris Jenkins
The Australian
MAY 08, 2007

THE scenario is all-too familiar. A big deal signed off, a few drinks to celebrate. Push on for a bit, then cab it home. A good time had by all. But, oh dear, where's the BlackBerry?

If it's not the BlackBerry, it's the laptop. Come back to the car, the window's smashed and the computer is gone. And not only the laptop. Gone too are the contact lists, the sales plan and the intelligence on competitors, all worth far more than a $2000 piece of kit.

With more companies giving staff laptops or handhelds to take home, concern over the security of these devices, and the data that resides on them, is growing.

Vodafone business product manager Mark Corless says some laptops lack even basic password protection, an oversight brought home very quickly when the hardware goes astray. "That can be a stake in the heart for some customers. There's a very quick realisation of how important that information is," he says.

Sometimes, the consequences take on national significance. In 2003, Australian officials were left scrambling when thieves using forged identities stole a laptop from the Department of Transport in Canberra and servers from the Australian Customs service in Sydney. In the US last year, the personal information of more than a million former US servicemen and women was compromised by the theft of a laptop used by an employee of the US Department of Veterans Affairs.

In Australia, the theft of companies' mobile computing hardware is fairly common. In last year's AusCERT Computer Crime and Security Survey, 58 per cent of companies surveyed reported having laptops stolen, up from 53 per cent in 2005. Nine per cent of companies said handhelds had been stolen last year, up from 8 per cent in 2005.

Forrester ICT consulting director Andrew Milroy says the risks are growing in line with increased usage of mobile devices.
At the same time, hardware such as PDAs and smartphones grows ever more capable of storing large amounts of data. "It's difficult to put a number on, but the risk is increasing substantially," Milroy says. "Not many people understand the risks they are taking by putting so much mission-critical information on these devices. It's a risk that people have been talking about for the past couple of years, but it has become a lot more real lately."

After five years of being relatively flat, business interest in mobile applications has tripled in 2007, Vodafone's Corless says. Many industrial-strength applications such as enterprise resource planning and customer relationship management systems from the likes of SAP and Oracle are now commonly available in mobile form.

The risk is amplified by the fact that devices and the applications they run are often linked to corporations by high-speed mobile data networks. Forrester predicts overall demand for mobile data services in Australia will grow at 18 to 20 per cent annually over the next five years.

In Australia at present, Milroy says, the theft of a laptop or handheld is more likely to be the work of an opportunist. Fortunately, while devices are stolen regularly, it seems there has been little effort dedicated to exploiting the information many of them contain. There is also no real evidence of deliberate industrial espionage, Milroy says. "I can't imagine that you would tell someone to follow a guy around and nick his BlackBerry."

Such actions remain a possibility, though, and awareness of the security required for devices used outside the office is gradually increasing, just as awareness of identity theft has cranked up over the past couple of years, Milroy says. Nevertheless, there is still some way to go before organisations realise what they are up against, he says. "It's just going to take a few years before people start taking that risk as seriously as they really should."
The reluctance of organisations to talk about their security embarrassments could be masking the true extent of the problem in Australia, IDC senior software analyst Patrik Bihammar suggests. "One problem is that we don't have the same disclosure laws here in Australia as the US does," he says. In California, for example, companies are required by law to notify the public if personal data has been compromised.

As with all security problems, awareness is a key issue in the battle to prevent laptops and handhelds from handing over the keys to the castle. "Although security is a big issue, I don't think it is paramount in people's minds. They are just thinking about how they can do more and more with these devices in different locations," Milroy says.

Dealing with the security of portable devices needs to be part of the overall approach to IT in a company, Milroy says. "Ideally it would all go in line with effective backup and business continuity. It's one of these cultural things that it's going to take people a while to catch up on." Many people don't follow basic backup procedures, such as saving to network drives, on their desktop PCs, so archiving data is even less likely to happen with mobile devices, he says.

There are also more concrete approaches. Corless says the BlackBerry is possibly the most secure mobile device at present. After five unsuccessful password attempts, it will automatically wipe all data, he says. Safeguards are built in to prevent the data being wiped accidentally.

Because BlackBerries are often used as a mobile extension of the desktop, they tend to carry a lot of critical information. This also means that if they are regularly synced, data-wiped or lost, they can easily be restored to a new handset. The ability to use a wireless data connection to remotely wipe the data on a device has become a popular safeguard, with products available for a range of device classes.
Companies need to have policies in place before things go wrong to ensure that appropriate action can be taken, Corless says. For example, it can be a problem for carriers when people ring up and ask to have devices either struck from the network or wiped altogether if the person making the request is not the owner of the device or is not authorised to make the request.

For some users, Vodafone creates custom access point names (APNs), which define a group that is allowed to access the network. If a device is not in the group definition, it doesn't get access. "Unless we have enabled you to communicate back to your corporate office, it won't happen," Corless says. Coca-Cola Amatil and electricity utilities are among the Vodafone customers employing this strategy, he says.

Some organisations restrict mobile devices to being thin clients that store no data locally. That way, if they are stolen, all the thief gets is a basic operating system and some hardware. But such a strategy limits the device to online-only use, meaning that if a network is not available, neither is the data. Using data live from the data centre also places greater demands on network performance, which can easily fluctuate while operating in a wireless environment.

IDC's Bihammar says data on mobile devices should be encrypted as a matter of course. "Laptop and device encryption and data leakage protection are not as common as they should be," he says. "Data or whole-disk encryption is clearly the first step to make it difficult for criminals to access any data on the device," he says. "Organisations need to have the right policies in place and the right technologies to enforce the policies and lock down intellectual property from leaking out of their organisations. Whether through loss of mobile devices and physical media or through email, instant messaging and other messaging protocols."
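The two controls the article describes in the preceding paragraphs, a local wipe after a fixed number of failed unlock attempts (with a safeguard against wiping by accident) and a remote wipe that is only honoured for the device's registered owner or an authorised administrator, modelled as a small policy simulation. This is an added illustration, not BlackBerry or Vodafone code: the Device and Fleet classes, the "acknowledge the warning before the final attempt" safeguard, and the sample handsets and users are all constructed here to show the decision logic, and the threshold of five comes from the article.

```python
"""Device-loss controls as policy code (constructed example, not vendor code).

Models three things the article describes: automatic wipe after a fixed number
of failed unlock attempts, a safeguard against accidental wipes, and a
remote-wipe request path that refuses anyone who is not the device owner or an
authorised administrator. Regular sync makes a wiped handset restorable.
"""
import hmac
from dataclasses import dataclass, field

WIPE_THRESHOLD = 5  # the article's "five unsuccessful password attempts"


@dataclass
class Device:
    device_id: str
    owner: str
    pin: str  # assumption: plain PIN kept in memory for the demo only
    data: dict = field(default_factory=dict)
    failed_attempts: int = 0
    wiped: bool = False

    def wipe(self) -> None:
        """Destroy local data; what is left is bare hardware and an OS."""
        self.data.clear()
        self.wiped = True

    def unlock(self, pin_attempt: str, acknowledged_warning: bool = False) -> str:
        """One unlock attempt; returns a short status string.

        Accidental-wipe safeguard (our assumption of how such a safeguard can
        work): when only one attempt remains, the device shows a warning and
        does not count further attempts until the user acknowledges it.
        """
        if self.wiped:
            return "wiped"
        if WIPE_THRESHOLD - self.failed_attempts == 1 and not acknowledged_warning:
            return "warning: final attempt before wipe, acknowledge to continue"
        # constant-time compare so timing does not leak how many digits matched
        if hmac.compare_digest(pin_attempt, self.pin):
            self.failed_attempts = 0
            return "unlocked"
        self.failed_attempts += 1
        if self.failed_attempts >= WIPE_THRESHOLD:
            self.wipe()
            return "wiped"
        return "rejected"


@dataclass
class Fleet:
    """Carrier/corporate side: registered devices, admins, backups, audit log."""
    devices: dict = field(default_factory=dict)
    admins: set = field(default_factory=set)
    backups: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def enrol(self, device: Device) -> None:
        self.devices[device.device_id] = device

    def sync(self, device_id: str) -> None:
        """Server-side copy, so a wiped or lost handset can be restored."""
        self.backups[device_id] = dict(self.devices[device_id].data)

    def request_remote_wipe(self, device_id: str, requester: str) -> str:
        """Honour a wipe request only from the owner or an authorised admin."""
        dev = self.devices.get(device_id)
        if dev is None:
            self.audit.append((requester, device_id, "unknown device"))
            return "refused: unknown device"
        if requester != dev.owner and requester not in self.admins:
            self.audit.append((requester, device_id, "refused"))
            return "refused: requester is not the owner or an authorised admin"
        dev.wipe()
        self.audit.append((requester, device_id, "wiped"))
        return "wipe issued"

    def restore_to_new_handset(self, old_id: str, new_device: Device) -> Device:
        """Restore the last synced copy onto a replacement handset."""
        new_device.data = dict(self.backups.get(old_id, {}))
        self.enrol(new_device)
        return new_device


if __name__ == "__main__":
    fleet = Fleet(admins={"it-admin"})
    phone = Device("bb-001", "alice", "4821", data={"contacts": ["bob"], "sales_plan": "Q3"})
    fleet.enrol(phone)
    fleet.sync("bb-001")
    print([phone.unlock(p) for p in ("0000", "1111", "2222", "3333")])
    print(phone.unlock("4444"))                              # warning, not counted
    print(phone.unlock("4444", acknowledged_warning=True))   # fifth failure: wiped
    print(fleet.request_remote_wipe("bb-001", "mallory"))    # refused
    replacement = fleet.restore_to_new_handset("bb-001", Device("bb-002", "alice", "9137"))
    print(replacement.data)
```

The audit list records refused requests as well as wipes, which is the evidence a carrier or helpdesk needs when someone who is not the owner rings up asking for a device to be wiped or struck from the network.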
As ever, the organisations most at risk of having their data compromised or stolen via portable devices are the ones that lack the resources to enforce security policies. Small and medium businesses are considered at particular risk.

For larger companies, compliance, both with external laws and with internal policies, is looming as a larger issue and is forcing organisations to develop appropriate security policies, Milroy says. "Organisations are being forced to be much more transparent. If you are public and you are being scrutinised, you want to be seen to be complying with certain standards, whether they're mandatory or not," he says.

Like the growth of internet use in organisations, the arrival of fleets of mobile devices is a tidal change unlikely to be held back by security concerns. For that reason, security is eventually going to have to be built into devices, Milroy says. "If it's not built in, you're not going to be able to sell it."

_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 30 hands-on training courses and 90 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 70 nations. Visit product displays by 30 top sponsors in a relaxed setting. Rates increase on June 1 so register today. http://www.blackhat.com
This archive was generated by hypermail 2.1.3 : Tue May 08 2007 - 22:12:32 PDT